Using the RSA Conference in San Francisco this morning as a backdrop, Microsoft announced several new security improvements to Office 365. More specifically, Microsoft unveiled details of a new Office 365 “customer lockbox,” new security and compliance log APIs for developers, and additional options for encrypting Office 365 email.
Once of those aforementioned new features is the Office 365 “Customer Lockbox”, a new feature that, according to a post on the Office blog by Vijay Kumar, senior product marketing manager, and Raji Dani, principal program manager for the Office 365 Security team, “…gives customers explicit control in the very rare instances when a Microsoft engineer may need access to customer content to resolve a customer issue.”
Not to be confused with Apple board member (and former Vice President) Al Gore’s infamous lockbox — as lampooned by Saturday Night Live — the new Office 365 Customer Lockbox is designed to minimize the level of interaction that Microsoft employees have with customer data. According to Kumar and Dani, the service is designed to rely on automation and abstraction to improve security of customer content. “Nearly all service operations performed by Microsoft are fully automated and the human involvement is highly controlled and abstracted away from customer content. As a result, only in rare cases—such as when troubleshooting a customer issue with mailbox or document contents—does a Microsoft engineer have any reason to access customer content in Office 365.”
Another security enhancement to Office 365 will arrive in the form of increased encryption for Office 365 data. Rajesh Jha, corporate vice president for the Office 365 division, wrote in a post on the official Microsoft Office blog that Microsoft would “… implement content-level encryption in addition to the Bitlocker encryption offered today. And in the next year, customers can require Microsoft to use customer-generated and controlled encryption keys to encrypt data at rest.”
Microsoft has bolstered encryption for other Microsoft cloud products recently, namely Microsoft OneDrive for Business.
Jha indicated that the new encryption options would take advantage hardware security modules (certified up to FIPS 140-2 Level 2). Office 365 already does encrypt data in transit and at rest, and Jha also indicated that “…new advanced encryption for email will be provided in Office 365 by the end of 2015.”
Microsoft is also adding features and functionality to allow customers to get even more information from Office 365 logs. In addition, Microsoft has announced a new Office 365 Management Activity API which developers can use information from those logs “…as Security and Compliance signals within solutions that provide monitoring, analysis and data visualization.”